It copies itself to the following locations:
• %WINDIR%\sachostx.exe
• %malware execution directory%\temp.bak

It deletes the following file:
• %SYSDIR%\hard.lck

The following files are created:

– %SYSDIR%\msvcrl.dll
  Further investigation showed that this file is also malware. Detected as: Worm/Locksky.P.9

– %SYSDIR%\sachostp.exe
  It is executed once it has been fully created. Further investigation showed that this file is also malware. Detected as: Worm/Locksky.V.1.B

– %SYSDIR%\sachostc.exe
  It is executed once it has been fully created. Further investigation showed that this file is also malware. Detected as: BDS/Locksky.K

– %SYSDIR%\sachostw.exe
  It is executed once it has been fully created. Further investigation showed that this file is also malware. Detected as: Worm/Locksky.T.6

– %SYSDIR%\sachosts.exe
  It is executed once it has been fully created. Further investigation showed that this file is also malware. Detected as: Worm/Locksky.V.1.C

It tries to download a file:

– The locations are the following:
  • http://proxy4u.ws:8080/**********
  • http://proxy4u.ws:8080/**********
  • http://usproxy2u.ws:8080/**********
  • http://usproxy2u.ws:8080/**********
  At the time of writing, this file was not online for further investigation.

Registry

The following registry key is added in order to run the process after reboot: